By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
September 30, 2024

Annoyed and confrontational requestors may challenge the content provided in response to a request for medical records because they don’t think they received the precise information requested. These complaints can happen when requestors are unfamiliar with the minimum necessary standard.

If your organization adheres to its policies, it’s likely you’re compliant with HIPAA provisions despite pushback from requestors. Your organization isn’t required to spend hours sifting through the medical records and parsing out information to spare a requestor spending time to locate the information they deem relevant.

What’s HIPAA minimum necessary standard?

Covered entities and business associates are required by the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)[1] to take reasonable efforts to limit the release of protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the request,[2] often referred to as the minimum necessary standard. It’s designed to be flexible and places the authority with the covered entity to determine implementation.[3]

How does the minimum necessary requirement rule work?

A healthcare organization must develop and implement policies and procedures appropriate for its organization and reflect the business practices and workforce. The organization’s policies and procedures must identify who needs access to PHI to fulfill job responsibilities, categories of PHI needed, and conditions where access is appropriate. For instance, a hospital can permit doctors, nurses or others involved in treatment to have access to the full medical record. When the entire medical record is necessary, the organization’s policies and procedures must state so and include a justification.

When does the minimum necessary standard not apply?

• Healthcare providers making a request for treatment purposes
• Patients when they request for their records
• Requests with valid authorization
• Requests required for compliance with HIPAA Administrative Simplifications Rules
• U.S. Department of Health and Human Services (HHS) requests for disclosure of information required under the Privacy Rule for enforcement purposes
• When the request is required by law

Who decides what’s minimum necessary?

A covered entity may rely on its business associate re: the minimum amount of information needed for a reasonable request to disclose PHI. Covered entities can defer to Verisma and let us handle the burden. As a trusted business associate, we provide requestors with the right information. Covered entities entrust us with PHI, and we have an obligation to disclose information correctly. We’ve developed policies and procedures for implementing the minimum necessary standard so our fulfillment of applicable requests is compliant with the Privacy Rule.

Verisma and your minimum necessary policy

We do what’s in the best interest of our clients. During the implementation process, we’ll work together to make sure we have a clear understanding of what minimum necessary means for your organization.

Learn more by contacting our team of healthcare data experts.

[1] 45 CFR Part 160 and Part 164, Subparts A and E
[2] 45 CFR 164.502(b)
[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
August 30, 2024

In most electronic health record (EHR) systems, patients have one chart all providers within that organization share. Additionally, providers may receive and make treatment decisions based on records from providers outside of the organization. When a practice receives a record request for a provider to fulfill, should they only limit the records generated by that provider? Or include all records in the patient chart, even if from other providers?

What is the designated record set?

To know what to include, you’ll need to start with the designated record set. The HIPAA Privacy Rule indicates when a patient or requestor asks for a medical record, the information in the designated record set may be disclosed. The Privacy Rule defines the designated record set as:

• Medical and billing records about individuals maintained by, or for a, covered healthcare provider
• The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
• Other records used, in whole or in part, by or for the covered entity to make decisions about individuals

Any record a provider uses for treatment decisions, generated by him or her, is part of the designated record set. If a provider references outside notes or labs from another provider, they become part of the designated record set. Multiple providers in an organization may use the same patient chart and have the same designated record set for the patient.

What do I release?

There’s often confusion over what to release when a designated record set includes records from multiple providers. An authorization, or Right to Access, request often indicates where the records should come from, but it’s the what that’s often most important.

If the request is directed at a specific doctor or organization and states “any and all records,” this indicates the designated record set utilized in caring for the patient. The designated record set could include labs and office visit notes from an outside provider if those records were used for treatment purposes. It’s rare for a provider to utilize only records created in the care of a patient.

However, if the request says “any and all records created by or limited to” a specific doctor or organization, this limits the authorization or access request to only those specified records – the what in this scenario has changed. So, the designated record set would be limited to the what specified in the request.

For most release of information (ROI) requests, it’s important to receive the appropriate records referenced in caring for the patient. This typically includes the entire designated record set and isn’t a restriction on what provider created the information. Occasionally requestors claim this scenario constitutes a HIPAA violation because the records provided have more than one provider name included. Requests for a provider’s records are for his or her designated record set. Because the designated record set may contain information from other providers, and requests for the provider’s records are asking for his or her designated record set, providing records from other providers doesn’t constitute a HIPAA violation or breach.

Release record requests to a partner

If record requests and compliance concerns take too much of your staff’s valuable time, consider releasing this administrative burden to a partner. Verisma processes hundreds of millions of requests annually with the industry’s highest accuracy rate. If you need to focus more on patient care and leave record requests and compliance questions to a partner, request a demo today to see how we can help.

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
July 12, 2024

Combine the words HIPAA, protected health information (PHI) and email, and you’ve just found a topic that’ll leave many healthcare professionals uneasy. Nevertheless, email is frequently used for sharing PHI with patients and their caregivers. All healthcare organizations should develop policies and procedures to comply with HIPAA while delivering PHI via email.

It’s not as simple as citing a policy forbids emailing PHI. One of the key initiatives of the Office of Civil Rights (OCR) is to increase access for patients to their health information, including unencrypted email. So, while it may seem counterintuitive to email patients medical records and health information, providers and healthcare organizations may need to do exactly that to meet a patient’s requested format.

Why use email to send PHI?

As our world becomes more reliant on technology to communicate and manage our daily lives, the healthcare industry has seen their own technological revolution with electronic health records (EHR), e-prescribing, patient portals, wearable tech, and many other advancements. With email a main means of communication, it’s only natural patients would like to communicate in a way they’re familiar with.

Many healthcare organizations have their own email systems needed to function for business. But when it comes to communicating with patients, practices are often confused over what they can, and cannot, do. The U.S. Department of Health and Human Services (HHS) provides guidance on emails used in healthcare. They note the HIPAA Privacy and Security Rules don’t prohibit the use of email but do require proper policies and procedures to protect PHI. Guidance on a patient’s right to access their PHI underscored the ability for patients to request this information via email. And they consider email to be readily producible by nearly all covered entities, with exceptions if a file is too large to transmit via email.

While practices should defer to utilizing secure, encrypted email while transmitting PHI, the guidance from the OCR indicates if a patient wants their PHI to be delivered via unencrypted email, covered entities and business associates must comply.

How can I send an unencrypted email with PHI? Isn’t that against HIPAA?

Sending PHI via unencrypted email doesn’t violate HIPAA, but covered entities and business associates must take reasonable steps to ensure patients understand and acknowledge the risk of unsecured email transmission. The OCR provided this guidance because they want patients to easily receive their PHI in accordance with their right to access PHI.

In an interview with Report on Patient Privacy, Deven McGraw, Deputy Director of the HHS OCR, said, “We are trying to make it as easy as possible [for people] to exercise their HIPAA rights in a way that works best for them. But it is not meant to be a sort of blanket, ‘Get Out of Jail Free’ card on security.”

Meaning, if a patient requests their records be delivered via unencrypted email, the covered entity or business associate must comply with the request after assurance from the patient they understand the risk of unsecured email. Denying a patient their access request be sent via unsecured email could mean an OCR complaint.

But isn’t email a breach waiting to happen?

Email can be difficult to protect at rest and in transit. It’s important healthcare organizations follow industry best practices for utilizing email, which typically include dual authentication and encryption, to prevent a PHI breach.

Unsecure email is much more difficult to protect. If a patient acknowledges, verbally or in writing, the risks of their PHI being sent via unsecure or unencrypted means, the patient accepts the risk of potential disclosures occurring in transit, or upon arrival, to the intended email address.

Considerations for delivering PHI via email

With email a frequent transmission method for PHI, healthcare practices need to consider the risks and best practices for utilizing email in their own organization.

Some initial suggestions for appropriately transmitting email include:

• Servers containing email should be encrypted.
• When communicating PHI externally, utilize encrypted email technology.
• Ensure all staff are trained on email best practices.
• Develop a policy and procedure for working with patients when the PHI file size is too large to be delivered via email.
• Develop a policy and procedure to alert patients to the risks of delivering PHI via unencrypted or unsecure email.
• Create your duty to warn statement and receive written or verbal confirmation.
• If the email address is received verbally, confirm the address using the NATO Phonetic Alphabet.

Rely on a partner to navigate the changing regulatory landscape

With the rapid evolution of technology, it can be difficult to keep up with the regulatory landscape of what is, and isn’t, allowed – all while trying to avoid an unauthorized disclosure (UAD). Luckily, covered entities can work with business associate partners like Verisma to handle PHI disclosures – transferring the work burden and duty to warn.

And, while many patients can access data via portals, Verisma Request App® (VRA) opens up secure electronic delivery to third-party requestors, such as commercial health plans and attorneys – offering the same record-ordering convenience enjoyed by patients – and avoids the risks associated with email all together.

Does emailing PHI (encrypted or unencrypted) seem like more work than it’s worth? Our healthcare data experts are extensively trained in PHI delivery best practices including utilizing encrypted and unencrypted email, as well as responding to complicated right to access requests. We’ll take on these tricky situations for you. Find out how we relieve the burden of PHI email exchange by requesting a demo today.

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
June 20, 2024

Under Health Insurance Portability and Accountability Act (HIPAA) Privacy Law, there’s a distinction between mental health records, part of a patient’s overall medical record, and psychotherapy notes, which are provided special consideration to be separate pieces of information. Healthcare professionals shouldn’t consider extra privacy protections afforded to psychotherapy notes as applicable to general mental health records, or the overall care and treatment of a patient could be impacted. We discuss how clients wish to label mental/behavioral records within their patients’ medical records. As with any HIPAA regulations, circumstances occur in which state laws supersede regulations set by federal law, so it is imperative health organizations understand their state laws. Our documentation and process adjusts to state when extra patient authorization is required for such information to be released. This information isn’t meant to be legal counsel, rather it’s a general guide to understanding the intricacies of HIPAA regulation.

Mental Health Records vs. Psychotherapy Notes

The U.S. Department of Health and Human Services (HHS) distinguishes between mental (which includes behavioral) health records compared with psychotherapy notes. HHS states, “Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment or health care operations purposes other than by the mental health professional who created the notes.”

HHS uses the HIPAA Privacy Rule to define psychotherapy notes “as notes recorded by a healthcare provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint or family counseling session and that are separate from the rest of the patient’s medical record.”

Mental health records, on the other hand, are considered to fall within general protected health information (PHI) and be part of the general health record. HHS outlines psychotherapy notes aren’t inclusive of medical prescriptions, session start and stop times, frequency of treatment, clinical tests, summaries of diagnosis, symptoms, prognosis, etc. These pieces of information are considered mental health records, thus part of the patient’s general medical record. It’s important to always consider individual states may have their own definition of mental or behavioral health. In these cases, you’ll want to know and understand any differences between state and federal definitions so you can determine if you need to apply additional privacy protections. As patients move between different healthcare providers, its critical health information be appropriately documented and shared for proper continuity of care of the patient. Diagnosis and medication information is imperative for any healthcare provider to properly and confidently provide care to a patient. Because mental health records and psychotherapy notes differ, HHS outlines they’ve different protections under the Privacy Rule: “Generally, the Privacy Rule applies uniformly to all PHI, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections.” Records related to mental health don’t receive these extra protections because they’re considered part of the general record. This distinction means thought and care should be put into how this information is stored and possibly shared, as most are not privy to the sensitive information contained in psychotherapy notes.

As organizations continue to implement protocols for managing medical records, they must consider how mental health records and psychotherapy notes differ in content and storage. Best practices state mental health records be stored within the patient’s general medical chart, while psychotherapy notes should be stored separately from the patient’s general medical record. If an organization wishes to store the psychotherapy notes within their electronic health record (EHR) system, special naming and filing standards should be documented and communicated. Staff members should be trained on the differences between psychotherapy notes and mental health records. Mental health records should be coded as such and included in the patient’s general electronic record. The psychotherapy notes should then receive an individualized designation which communicates the relevant patient while not being added to that patient’s general medical record.

Professional Discretion and Extenuating Circumstances

The term “professional discretion” is used throughout medical records regulatory law, pertaining to the rules surrounding psychotherapy notes. Healthcare providers maintain professional discretion on when and what information should, or shouldn’t, be released. Circumstances pertaining to family access to psychotherapy notes, law enforcement inquiries, and third-party requestors are especially dependent on this caveat to determine compliance.

The importance of professional discretion serves to indicate how critical it is organizations maintain a well-articulated system for the storage of psychotherapy notes. An example of professional discretion playing a part in the release of psychotherapy notes would be if a provider felt there was an imminent threat of a patient causing harm to themselves or others. A provider must use their professional discretion to determine if the situation meets the requirements for disclosure of psychotherapy notes to law enforcement for the purpose of prevention.

Patient Access to Psychotherapy Notes

As dictated by the HIPAA “Right to Access” provision, a patient must be allowed to gain access to their current medical records as defined by an organization’s “designated record set” in a timely manner, without undue burden. If the maintenance and contents of mental health professional’s notes fall within the definition of psychotherapy notes as defined in the Privacy Rule, they aren’t to be considered part of an organization’s designated record set, or the patient’s medical record. Since psychotherapy notes fall under this Privacy Rule exception, covered entities aren’t obligated to release a patient’s psychotherapy notes pertaining to their treatment. It’s of great importance the psychotherapy notes are maintained separately, or clearly noted as separate, from the patient’s medical record. If this step isn’t taken, the Privacy Rule exception doesn’t apply and a records custodian must include the notes when releasing information.

Third-party Requestors

If a third-party requestor is seeking to obtain medical records from the healthcare organization, the records custodian should follow normal protocol seeking required authorization. If psychotherapy notes relating to the requested records are also present at the organization, it must seek separate patient authorization – which states psychotherapy notes may be included – before releasing the notes to the third-party requestor. This is of paramount importance as inappropriate release of psychotherapy notes is noncompliant and may have undesirable effects for the related patient.

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS Director of Compliance and Government Affairs
Verisma
May 17, 2024

I recently had the honor to moderate a panel with really engaging, super bright, and deeply invested panelists who are looking at patient access from three perspectives:

• Health Information Management (HIM)
• Patient
• Patient Advocate

Key Challenges

We discussed how many places HIM professionals need to go to assemble a patient’s complete medical record within one organization. Chances are high that it’s not one electronic medical record (EMR). Often, hospital records and outpatient clinical records are in multiple systems. There’s also paper, microfiche, independent labs, imaging, and coordination with different providers and pharmacies to tackle. From a patient and patient advocate perspective, navigating the U.S. healthcare system to access protected health information (PHI) is also far from easy. In some states, consumers need more than one consent to release information. There are numerous usernames and passwords to remember when trying to access portals. These pose challenges even before acknowledging language and literacy barriers. Anna McCollister, member of the Sequoia Project’s Board of Directors and advisory committee member for the Health IT Advisory Committee (HITAC) at the Office of the National Coordinator for Health Information Technology (ONC), perfectly illustrates the complexity of living with complex, chronic disease. She’s asking health technology companies to think beyond what they’re in charge of. For consumers to feel less of a burden, health tech needs to understand their focus area is part of a much larger picture. Anna’s requesting a seamless platform, so consumers can see all their data in one place – saving valuable time and effort. This tool is even more important for patients who aren’t feeling 100 percent, and don’t have excess energy to give.

Managing PHI

Vong Miphouvieng, Vice President of HIM and Clinical Documentation Integrity at a large health system in Texas, agrees EMRs have made it somewhat easier to access data, but not everyone wants to use a patient portal. They partnered with Verisma to simplify access, creating a consumer-focused health system. With interoperability, patient information can now be obtained from one location. No matter where consumers receive care, there’s one phone number, one website, one email, one place they get all their health information. The provider also extended call-center hours, making it easier to access information in myriad ways via portal, snail mail, or walk-in – providing various methods to fit consumer needs.

Veronica Richardson, Vice President of Integrity at Preferred Family Healthcare (PFH), details challenges their transient clients have with mobility. Some don’t have smartphones to request information, and staff can’t always contact them either. They’ve also centralized the release of information (ROI) process so there’s one Dropbox. No matter where patients receive care, they can request records from PFH.

Government’s Role

Data rights need to be more visible when consumers are trying to access information in their provider’s office or in a patient portal. Required alerts describing patient rights, what’s available to be accessed in a portal, and who to contact if consumers can’t access data in a timely manner, need to be front-and-center – along with government contact information to report violations.

Bottom Line

We’ve been talking about interoperability for years, but there’s more work to be done to achieve seamless information sharing between healthcare providers and from one EMR to the next. The process to download, print, mail, and PDF data for integration into the receiving provider’s EMR is still daunting. Consumers are rightfully demanding faster turnaround times, and interoperability is the key for better patient access. The good news? We all know what’s needed. Together, we can define the remaining barriers, outline what’s keeping us from knocking them down, and define how we can work with the healthcare ecosystem and policy makers to get us to true interoperability.

Verisma

April 18, 2024

By January 2026, all certified electronic health record (EHR) users must comply and exchange information per the Trusted Exchange Framework Common Agreement (TEFCA). My colleague, Roberta Baranda, past president of the California Health Information Association (CHIA) and health information management (HIM) director at Valley Children’s Hospital spoke about TEFCA several years ago. I looked it up and thought, another government regulation to enforce what we’ve all been needing, wanting and working towards for many years, interoperability. If all of us are on the same page about interoperability, why is it so difficult to achieve?

An unprecedented amount of data is being collected across a diversity of sectors, which, if harnessed, could transform public health decision-making. Yet significant challenges stand in the way of such a vision, including the need to establish standards of data sharing and interoperability, the need for innovation in both methodological approaches and workforce models, and the need for data stewardship and governance models to ensure the protection and integrity of the public health data system. (Martin, et. al., 2022)

Why’s the Government Weighing in on Interoperability? Better Patient Outcomes

All healthcare professionals agree there’s a need for a viable, reliable method, and framework for health information to be exchanged. Most everything we do in health information ultimately results in trusted info being exchanged. When we analyze charts, the purpose is to ensure completeness of the record so the recipient will have the patient’s full story. When we code a record, the data are captured for research recipients and the payers to receive information pertaining to cost of care. Document imaging specialists ensure paper records are incorporated into the electronic version of the chart to provide continuity of care. Of course, clinicians feverishly document care of the patient knowing information will result in better outcomes or prevention of further illness.

Federal efforts may address some impediments to electronic health information exchange. Specifically, the Trusted Exchange Framework and Common Agreement being implemented by the Office of the National Coordinator for Health Information Technology (ONC)—which aims to describe a common set of nonbinding principles to help facilitate exchange among health information networks—may mitigate costs providers face by providing a simpler approach to connecting with other providers. However, stakeholders noted that participation in this effort is voluntary and does not address issues like information technology staffing shortages and gaps in broadband access that pose particular challenges to electronic exchange for small and rural providers. (Gordon, 2023)

Health Information Access Challenges

The government mandate speaks to the importance of access to health information. The vision of our national organization, American Health Information Management Association (AHIMA) is “A world where trusted information transforms health and healthcare by connecting people, systems, and ideas.” Can TEFCA be the conduit for us to get there? The National Institutes of Health (NIH) addresses implications and solutions for interoperability challenges, including a copious amount of health data with outdated workforce models, and numerous resource constraints.

Data science and technology companies continue to be on the cutting edge of information exchange. As such, the data science and technology sector has the expertise to help mitigate and solve challenges within legacy data systems… departments working within a resource-constrained environment and a workforce whose expertise is focused on health, rather than technology. In addition, to increase accuracy and efficiency, there is a need to develop processes for timely data sharing that require minimal human effort. (Martin et. al, 2022)

TEFCA Guidance Resources: ONC and AHIMA

During the February Verisma Academy webinar, Elisabeth Myers, Deputy Director, Office of Policy, ONC, presented an on-demand course with solid, actionable information that’s really worth checking out: Exploring HTI-1, TEFCA and AI in Healthcare – Where Are We in 2024?

Separately, AHIMA provided a two-page guideline on what TEFCA means for provider organizations, underlining the idea that when orgs exchange information through Qualified Health Information Networks (QHINs), “there’s increased focus on how to expand use cases and make a broader impact.” In terms of adaptability, “TEFCA will be able to grow and adapt as needed to ensure it serves user needs,” including “a three-year roadmap for the TEFCA to begin utilizing the Fast Healthcare Interoperability Resource (FHIR).”

Will TEFCA Help Solve Interoperability Challenges?

At the very least, TEFCA has us discussing this important topic and moving in a unified direction as an industry. Providers who struggle with resources to stay on top of what these regulations mean, or how to operationalize them, can lean on external partners who’ve expertise in this space – ultimately benefiting everyone.

I’m proud to work for a company fostering interoperability with technology-rich tools mitigating human error. We help provider partners manage the deluge of incoming records, care coordination processes, and sharing information — with privacy and security at the forefront. We’re also passionate about becoming your trusted partner.

References:

www.ahima.org; What Does the TEFCA Mean for Your Organization?
https://ahima.org/media/zw3hx0c3/tefca_summary_fin.pdf

Martin LT, Nelson C, Yeung D, Acosta JD, Qureshi N, Blagg T, Chandra A (2022) The issues of interoperability and data connectedness for public health. Big Data 10:S1, 19–24, DOI: 10.1089/big.2022.0207.

Gordon, L. (2023) Electronic Health Information Exchange: Use Has Increased, but Is Lower for Small and Rural Providers. GAO-23-105540; Published: Apr 21, 2023.
https://www.gao.gov/products/gao-23-105540.